+971 56 974 0358
Heymann Institute
Articles/Governance
Governance

The Decision-Rights Playbook for IT Governance

Most IT governance problems are described too broadly.

GH
Gustav Heymann
Managing Partner · Jan 6, 2026 · 3 min read

"The committee is slow." "The policy is unclear." "The business bypasses IT." "Risk is not understood."

Those may all be true. But they are symptoms.

The better starting point is the decision.

Governance Begins With a Named Decision

Every governance mechanism should be tied to a decision.

Approve a SaaS vendor that will process personal data.

Accept risk for an unsupported legacy system.

Approve an architecture exception.

Authorize use of company data in an AI tool.

Mandate new cloud cost guardrails.

Approve a major technology investment.

These are not abstract governance topics. They are decisions with owners, evidence, tradeoffs, and consequences.

If the decision is not named, governance becomes vague.

Why Charters Are Not Enough

Many organizations create committee charters.

The charter says the forum oversees technology risk, strategy, investment, or architecture. That may be true, but it is not specific enough.

Effective governance requires a decision-rights inventory.

For each decision, the organization should define the approver, accountable owner, contributors, evidence, service level, escalation path, and record location.

This turns governance from meeting structure into operating discipline.

The Decision-Rights Card

A useful card includes:

  • Decision name.
  • Decision type and risk tier.
  • Accountable owner.
  • Approver.
  • Required contributors.
  • Evidence required.
  • Forum.
  • Decision service level.
  • Escalation route.
  • Record location.
  • Review trigger.

This may sound simple. That is the point.

Governance often fails because simple questions are not answered.

Human Factors

Decision rights are not only procedural.

They shape behavior.

If teams know who can decide, they stop shopping for approval. If evidence is clear, reviewers stop asking for new material late in the process. If service levels are defined, governance becomes more predictable. If escalation is explicit, unresolved tradeoffs do not linger.

This reduces friction.

It also improves accountability.

Measuring the System

Governance should measure the machinery, not just the motion.

Useful measures include decision cycle time, percentage of decisions made within service level, exception aging, repeat exceptions, policy adoption, decision rework, unresolved escalations, and evidence completeness.

These measures show whether governance is functioning.

Meeting volume does not.

Practical Implementation

Start with the top ten technology decisions that create delay, risk, or confusion.

Interview the people involved. Map how the decision is made today. Identify ambiguity. Define the decision card. Test it on live work. Adjust based on evidence.

Then publish the inventory and train participants.

Decision rights only help if people know how to use them.

The Closing Test

The test is not whether a committee exists.

The test is whether everyone knows which decision it owns, what evidence it needs, and who is accountable for the outcome.

That is where IT governance becomes tangible.

Related insights